
Re: [atomic-devel] Container data and uid/gid
> On Jan 13, 2015, at 11:12 AM, Stephen C. Tweedie <sct redhat com> wrote:
> 
> Hi,
> 
>> On Mon, 2015-01-12 at 18:03 -0500, Colin Walters wrote:
>>> On Wed, Jan 7, 2015, at 05:14 PM, Matt Micene wrote:
>>> 
>>> I may be overstating the case a bit, but ensuring uid/gid matches on
>>> shared volumes (regardless of Docker or otherwise) has always been a
>>> manual process.
>> 
>> Right, generally.  The current Fedora recommendations are here:
>> 
>> https://fedoraproject.org/wiki/Packaging:UsersAndGroups
>> 
>> Which let's be honest, "fork the setup package and add an Epoch" is
>> pretty terribly ugly.
>> 
>> So to reiterate briefly the reason manageable uid/gid allocation is
>> important in Atomic is that:
>> 
>> - Containers allow a lot of flexibility, except uid/gid is an anchor
>> dragging it down
>> 
>> - To implement atomic upgrades, rpm-ostree requires distinguishing
>> locally added users from OS vendor users
> 
> Is it over-complicating things to expect the uid to be allocated by the
> container or the container app?
> 
> There's a clear advantage to running a container as non-root.  But
> containers already have some level of isolation from each other; so do
> we need a per-application uid?  

At a cluster level yes, so that technologies like NFS can be applied to the cluster.  We are getting pushed extremely hard to have this in OpenShift 2 (we already use uid randomization and guarantee no overlap).  I don't see how this doesn't become part of OpenShift 3 or immediately after.

> 
> It might well be enough just to have a single "docker" or "docker-app"
> uid/gid, and run all containers using that same uid.
> 
> There would still be at least some reduction in security if you
> accidentally share the same volume between the wrong containers... but
> then, don't do that.  And the advantage over running as root is still
> huge (you're not running the app with write access to its entire
> runtime), and it's easy to keep the uid consistent between the host and
> its containers.
> 
> Or do we really need the uids to be per-app?
> 
> --Stephen

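A check a deployer could run against the "single docker uid" option discussed above, added here as an example and not code from the thread or from OpenShift: it walks constructed records in the shape of the Config.User and Mounts fields of `docker inspect` output and flags containers running as root, plus pairs of containers that run under one uid while sharing a writable host path. The container names, paths and record layout are assumptions.

```python
from itertools import combinations

# Constructed sample records, shaped like the Config.User and Mounts fields
# of `docker inspect` output (not taken from any real host).
CONTAINERS = [
    {"Name": "web", "Config": {"User": "1001"},
     "Mounts": [{"Source": "/srv/web", "RW": True}]},
    {"Name": "worker", "Config": {"User": "1001"},
     "Mounts": [{"Source": "/srv/web", "RW": True},
                {"Source": "/srv/queue", "RW": True}]},
    {"Name": "db", "Config": {"User": "1002:1002"},
     "Mounts": [{"Source": "/srv/db", "RW": True}]},
    {"Name": "legacy", "Config": {"User": ""},
     "Mounts": [{"Source": "/srv/web", "RW": False}]},
]


def effective_uid(user_field):
    """Numeric uid from a Config.User value ("", "uid", "uid:gid", "name").

    An empty value means the container runs as root (uid 0). A user name
    cannot be resolved offline, so it is returned unchanged.
    """
    if not user_field:
        return 0
    user = user_field.split(":", 1)[0]
    return int(user) if user.isdigit() else user


def audit(containers):
    """Return (names running as root, [(a, b, path)] shared-uid conflicts).

    A conflict is two containers under the same uid that both mount the
    same host path read-write: compromising one yields write access to
    the other's data, which is the risk the thread describes.
    """
    root = [c["Name"] for c in containers
            if effective_uid(c["Config"]["User"]) == 0]
    conflicts = []
    for a, b in combinations(containers, 2):
        if effective_uid(a["Config"]["User"]) != effective_uid(b["Config"]["User"]):
            continue
        rw_a = {m["Source"] for m in a["Mounts"] if m["RW"]}
        rw_b = {m["Source"] for m in b["Mounts"] if m["RW"]}
        conflicts += [(a["Name"], b["Name"], p) for p in sorted(rw_a & rw_b)]
    return root, conflicts


if __name__ == "__main__":
    root, conflicts = audit(CONTAINERS)
    print("running as root:", root, "| conflicts:", conflicts)
```

On a real host the same records come from `docker inspect` on each container; a read-only mount under a shared uid is not reported because it does not grant the cross-container write access at issue.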